1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD$ 29 */ 30 31 #ifndef _G_ELI_H_ 32 #define _G_ELI_H_ 33 34 #include <sys/endian.h> 35 #include <sys/errno.h> 36 #include <sys/malloc.h> 37 #include <crypto/sha2/sha256.h> 38 #include <crypto/sha2/sha512.h> 39 #include <opencrypto/cryptodev.h> 40 #ifdef _KERNEL 41 #include <sys/bio.h> 42 #include <sys/libkern.h> 43 #include <sys/lock.h> 44 #include <sys/mutex.h> 45 #include <geom/geom.h> 46 #include <crypto/intake.h> 47 #else 48 #include <assert.h> 49 #include <stdio.h> 50 #include <string.h> 51 #include <strings.h> 52 #endif 53 #include <sys/queue.h> 54 #include <sys/tree.h> 55 #ifndef _OpenSSL_ 56 #include <sys/md5.h> 57 #endif 58 59 #define G_ELI_CLASS_NAME "ELI" 60 #define G_ELI_MAGIC "GEOM::ELI" 61 #define G_ELI_SUFFIX ".eli" 62 63 /* 64 * Version history: 65 * 0 - Initial version number. 66 * 1 - Added data authentication support (md_aalgo field and 67 * G_ELI_FLAG_AUTH flag). 68 * 2 - Added G_ELI_FLAG_READONLY. 69 * 3 - Added 'configure' subcommand. 70 * 4 - IV is generated from offset converted to little-endian 71 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions). 72 * 5 - Added multiple encrypton keys and AES-XTS support. 73 * 6 - Fixed usage of multiple keys for authenticated providers (the 74 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions). 75 * 7 - Encryption keys are now generated from the Data Key and not from the 76 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions). 77 */ 78 #define G_ELI_VERSION_00 0 79 #define G_ELI_VERSION_01 1 80 #define G_ELI_VERSION_02 2 81 #define G_ELI_VERSION_03 3 82 #define G_ELI_VERSION_04 4 83 #define G_ELI_VERSION_05 5 84 #define G_ELI_VERSION_06 6 85 #define G_ELI_VERSION_07 7 86 #define G_ELI_VERSION G_ELI_VERSION_07 87 88 /* ON DISK FLAGS. */ 89 /* Use random, onetime keys. */ 90 #define G_ELI_FLAG_ONETIME 0x00000001 91 /* Ask for the passphrase from the kernel, before mounting root. */ 92 #define G_ELI_FLAG_BOOT 0x00000002 93 /* Detach on last close, if we were open for writing. */ 94 #define G_ELI_FLAG_WO_DETACH 0x00000004 95 /* Detach on last close. */ 96 #define G_ELI_FLAG_RW_DETACH 0x00000008 97 /* Provide data authentication. */ 98 #define G_ELI_FLAG_AUTH 0x00000010 99 /* Provider is read-only, we should deny all write attempts. */ 100 #define G_ELI_FLAG_RO 0x00000020 101 /* Don't pass through BIO_DELETE requests. */ 102 #define G_ELI_FLAG_NODELETE 0x00000040 103 /* This GELI supports GELIBoot */ 104 #define G_ELI_FLAG_GELIBOOT 0x00000080 105 /* Hide passphrase length in GELIboot. */ 106 #define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100 107 /* Expand provider automatically. */ 108 #define G_ELI_FLAG_AUTORESIZE 0x00000200 109 110 /* RUNTIME FLAGS. */ 111 /* Provider was open for writing. */ 112 #define G_ELI_FLAG_WOPEN 0x00010000 113 /* Destroy device. */ 114 #define G_ELI_FLAG_DESTROY 0x00020000 115 /* Provider uses native byte-order for IV generation. */ 116 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 117 /* Provider uses single encryption key. */ 118 #define G_ELI_FLAG_SINGLE_KEY 0x00080000 119 /* Device suspended. */ 120 #define G_ELI_FLAG_SUSPEND 0x00100000 121 /* Provider uses first encryption key. */ 122 #define G_ELI_FLAG_FIRST_KEY 0x00200000 123 /* Provider uses IV-Key for encryption key generation. */ 124 #define G_ELI_FLAG_ENC_IVKEY 0x00400000 125 126 #define G_ELI_NEW_BIO 255 127 128 #define SHA512_MDLEN 64 129 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 130 131 #define G_ELI_MAXMKEYS 2 132 #define G_ELI_MAXKEYLEN 64 133 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 134 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 135 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 136 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 137 #define G_ELI_SALTLEN 64 138 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 139 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 140 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 141 #define G_ELI_OVERWRITES 5 142 /* Switch data encryption key every 2^20 blocks. */ 143 #define G_ELI_KEY_SHIFT 20 144 145 #define G_ELI_CRYPTO_UNKNOWN 0 146 #define G_ELI_CRYPTO_HW 1 147 #define G_ELI_CRYPTO_SW 2 148 149 #ifdef _KERNEL 150 #if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN) 151 #error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN" 152 #endif 153 154 extern int g_eli_debug; 155 extern u_int g_eli_overwrites; 156 extern u_int g_eli_batch; 157 158 #define G_ELI_DEBUG(lvl, ...) \ 159 _GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), NULL, __VA_ARGS__) 160 #define G_ELI_LOGREQ(lvl, bp, ...) \ 161 _GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), (bp), __VA_ARGS__) 162 163 struct g_eli_worker { 164 struct g_eli_softc *w_softc; 165 struct proc *w_proc; 166 void *w_first_key; 167 u_int w_number; 168 crypto_session_t w_sid; 169 boolean_t w_active; 170 LIST_ENTRY(g_eli_worker) w_next; 171 }; 172 173 #endif /* _KERNEL */ 174 175 struct g_eli_softc { 176 struct g_geom *sc_geom; 177 u_int sc_version; 178 u_int sc_crypto; 179 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 180 uint8_t sc_ekey[G_ELI_DATAKEYLEN]; 181 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue; 182 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree; 183 struct mtx sc_ekeys_lock; 184 uint64_t sc_ekeys_total; 185 uint64_t sc_ekeys_allocated; 186 u_int sc_ealgo; 187 u_int sc_ekeylen; 188 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 189 u_int sc_aalgo; 190 u_int sc_akeylen; 191 u_int sc_alen; 192 SHA256_CTX sc_akeyctx; 193 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 194 SHA256_CTX sc_ivctx; 195 int sc_nkey; 196 uint32_t sc_flags; 197 int sc_inflight; 198 off_t sc_mediasize; 199 size_t sc_sectorsize; 200 off_t sc_provsize; 201 u_int sc_bytes_per_sector; 202 u_int sc_data_per_sector; 203 #ifndef _KERNEL 204 int sc_cpubind; 205 #else /* _KERNEL */ 206 boolean_t sc_cpubind; 207 208 /* Only for software cryptography. */ 209 struct bio_queue_head sc_queue; 210 struct mtx sc_queue_mtx; 211 LIST_HEAD(, g_eli_worker) sc_workers; 212 #endif /* _KERNEL */ 213 }; 214 #define sc_name sc_geom->name 215 216 #define G_ELI_KEY_MAGIC 0xe11341c 217 218 struct g_eli_key { 219 /* Key value, must be first in the structure. */ 220 uint8_t gek_key[G_ELI_DATAKEYLEN]; 221 /* Magic. */ 222 int gek_magic; 223 /* Key number. */ 224 uint64_t gek_keyno; 225 /* Reference counter. */ 226 int gek_count; 227 /* Keeps keys sorted by most recent use. */ 228 TAILQ_ENTRY(g_eli_key) gek_next; 229 /* Keeps keys sorted by number. */ 230 RB_ENTRY(g_eli_key) gek_link; 231 }; 232 233 struct g_eli_metadata { 234 char md_magic[16]; /* Magic value. */ 235 uint32_t md_version; /* Version number. */ 236 uint32_t md_flags; /* Additional flags. */ 237 uint16_t md_ealgo; /* Encryption algorithm. */ 238 uint16_t md_keylen; /* Key length. */ 239 uint16_t md_aalgo; /* Authentication algorithm. */ 240 uint64_t md_provsize; /* Provider's size. */ 241 uint32_t md_sectorsize; /* Sector size. */ 242 uint8_t md_keys; /* Available keys. */ 243 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 244 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 245 /* Encrypted master key (IV-key, Data-key, HMAC). */ 246 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 247 u_char md_hash[16]; /* MD5 hash. */ 248 } __packed; 249 #ifndef _OpenSSL_ 250 static __inline void 251 eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap) 252 { 253 u_char *p; 254 255 p = *datap; 256 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 257 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 258 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 259 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 260 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 261 *p = md->md_keys; p += sizeof(md->md_keys); 262 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 263 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 264 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 265 *datap = p; 266 } 267 static __inline void 268 eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap) 269 { 270 u_char *p; 271 272 p = *datap; 273 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 274 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 275 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 276 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 277 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 278 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 279 *p = md->md_keys; p += sizeof(md->md_keys); 280 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 281 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 282 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 283 *datap = p; 284 } 285 static __inline void 286 eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 287 { 288 uint32_t hash[4]; 289 MD5_CTX ctx; 290 u_char *p; 291 292 p = data; 293 bcopy(md->md_magic, p, sizeof(md->md_magic)); 294 p += sizeof(md->md_magic); 295 le32enc(p, md->md_version); 296 p += sizeof(md->md_version); 297 switch (md->md_version) { 298 case G_ELI_VERSION_00: 299 eli_metadata_encode_v0(md, &p); 300 break; 301 case G_ELI_VERSION_01: 302 case G_ELI_VERSION_02: 303 case G_ELI_VERSION_03: 304 case G_ELI_VERSION_04: 305 case G_ELI_VERSION_05: 306 case G_ELI_VERSION_06: 307 case G_ELI_VERSION_07: 308 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p); 309 break; 310 default: 311 #ifdef _KERNEL 312 panic("%s: Unsupported version %u.", __func__, 313 (u_int)md->md_version); 314 #else 315 assert(!"Unsupported metadata version."); 316 #endif 317 } 318 MD5Init(&ctx); 319 MD5Update(&ctx, data, p - data); 320 MD5Final((void *)hash, &ctx); 321 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 322 bcopy(md->md_hash, p, sizeof(md->md_hash)); 323 } 324 static __inline int 325 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 326 { 327 uint32_t hash[4]; 328 MD5_CTX ctx; 329 const u_char *p; 330 331 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 332 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 333 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 334 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 335 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 336 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 337 md->md_keys = *p; p += sizeof(md->md_keys); 338 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 339 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 340 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 341 MD5Init(&ctx); 342 MD5Update(&ctx, data, p - data); 343 MD5Final((void *)hash, &ctx); 344 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 345 if (bcmp(md->md_hash, p, 16) != 0) 346 return (EINVAL); 347 return (0); 348 } 349 350 static __inline int 351 eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md) 352 { 353 uint32_t hash[4]; 354 MD5_CTX ctx; 355 const u_char *p; 356 357 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 358 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 359 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 360 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 361 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 362 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 363 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 364 md->md_keys = *p; p += sizeof(md->md_keys); 365 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 366 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 367 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 368 MD5Init(&ctx); 369 MD5Update(&ctx, data, p - data); 370 MD5Final((void *)hash, &ctx); 371 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 372 if (bcmp(md->md_hash, p, 16) != 0) 373 return (EINVAL); 374 return (0); 375 } 376 static __inline int 377 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 378 { 379 int error; 380 381 bcopy(data, md->md_magic, sizeof(md->md_magic)); 382 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0) 383 return (EINVAL); 384 md->md_version = le32dec(data + sizeof(md->md_magic)); 385 switch (md->md_version) { 386 case G_ELI_VERSION_00: 387 error = eli_metadata_decode_v0(data, md); 388 break; 389 case G_ELI_VERSION_01: 390 case G_ELI_VERSION_02: 391 case G_ELI_VERSION_03: 392 case G_ELI_VERSION_04: 393 case G_ELI_VERSION_05: 394 case G_ELI_VERSION_06: 395 case G_ELI_VERSION_07: 396 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md); 397 break; 398 default: 399 error = EOPNOTSUPP; 400 break; 401 } 402 return (error); 403 } 404 #endif /* !_OpenSSL */ 405 406 static __inline u_int 407 g_eli_str2ealgo(const char *name) 408 { 409 410 if (strcasecmp("null", name) == 0) 411 return (CRYPTO_NULL_CBC); 412 else if (strcasecmp("null-cbc", name) == 0) 413 return (CRYPTO_NULL_CBC); 414 else if (strcasecmp("aes", name) == 0) 415 return (CRYPTO_AES_XTS); 416 else if (strcasecmp("aes-cbc", name) == 0) 417 return (CRYPTO_AES_CBC); 418 else if (strcasecmp("aes-xts", name) == 0) 419 return (CRYPTO_AES_XTS); 420 else if (strcasecmp("blowfish", name) == 0) 421 return (CRYPTO_BLF_CBC); 422 else if (strcasecmp("blowfish-cbc", name) == 0) 423 return (CRYPTO_BLF_CBC); 424 else if (strcasecmp("camellia", name) == 0) 425 return (CRYPTO_CAMELLIA_CBC); 426 else if (strcasecmp("camellia-cbc", name) == 0) 427 return (CRYPTO_CAMELLIA_CBC); 428 else if (strcasecmp("3des", name) == 0) 429 return (CRYPTO_3DES_CBC); 430 else if (strcasecmp("3des-cbc", name) == 0) 431 return (CRYPTO_3DES_CBC); 432 return (CRYPTO_ALGORITHM_MIN - 1); 433 } 434 435 static __inline u_int 436 g_eli_str2aalgo(const char *name) 437 { 438 439 if (strcasecmp("hmac/md5", name) == 0) 440 return (CRYPTO_MD5_HMAC); 441 else if (strcasecmp("hmac/sha1", name) == 0) 442 return (CRYPTO_SHA1_HMAC); 443 else if (strcasecmp("hmac/ripemd160", name) == 0) 444 return (CRYPTO_RIPEMD160_HMAC); 445 else if (strcasecmp("hmac/sha256", name) == 0) 446 return (CRYPTO_SHA2_256_HMAC); 447 else if (strcasecmp("hmac/sha384", name) == 0) 448 return (CRYPTO_SHA2_384_HMAC); 449 else if (strcasecmp("hmac/sha512", name) == 0) 450 return (CRYPTO_SHA2_512_HMAC); 451 return (CRYPTO_ALGORITHM_MIN - 1); 452 } 453 454 static __inline const char * 455 g_eli_algo2str(u_int algo) 456 { 457 458 switch (algo) { 459 case CRYPTO_NULL_CBC: 460 return ("NULL"); 461 case CRYPTO_AES_CBC: 462 return ("AES-CBC"); 463 case CRYPTO_AES_XTS: 464 return ("AES-XTS"); 465 case CRYPTO_BLF_CBC: 466 return ("Blowfish-CBC"); 467 case CRYPTO_CAMELLIA_CBC: 468 return ("CAMELLIA-CBC"); 469 case CRYPTO_3DES_CBC: 470 return ("3DES-CBC"); 471 case CRYPTO_MD5_HMAC: 472 return ("HMAC/MD5"); 473 case CRYPTO_SHA1_HMAC: 474 return ("HMAC/SHA1"); 475 case CRYPTO_RIPEMD160_HMAC: 476 return ("HMAC/RIPEMD160"); 477 case CRYPTO_SHA2_256_HMAC: 478 return ("HMAC/SHA256"); 479 case CRYPTO_SHA2_384_HMAC: 480 return ("HMAC/SHA384"); 481 case CRYPTO_SHA2_512_HMAC: 482 return ("HMAC/SHA512"); 483 } 484 return ("unknown"); 485 } 486 487 static __inline void 488 eli_metadata_dump(const struct g_eli_metadata *md) 489 { 490 static const char hex[] = "0123456789abcdef"; 491 char str[sizeof(md->md_mkeys) * 2 + 1]; 492 u_int i; 493 494 printf(" magic: %s\n", md->md_magic); 495 printf(" version: %u\n", (u_int)md->md_version); 496 printf(" flags: 0x%x\n", (u_int)md->md_flags); 497 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 498 printf(" keylen: %u\n", (u_int)md->md_keylen); 499 if (md->md_flags & G_ELI_FLAG_AUTH) 500 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 501 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 502 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 503 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 504 printf("iterations: %d\n", (int)md->md_iterations); 505 bzero(str, sizeof(str)); 506 for (i = 0; i < sizeof(md->md_salt); i++) { 507 str[i * 2] = hex[md->md_salt[i] >> 4]; 508 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 509 } 510 printf(" Salt: %s\n", str); 511 bzero(str, sizeof(str)); 512 for (i = 0; i < sizeof(md->md_mkeys); i++) { 513 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 514 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 515 } 516 printf("Master Key: %s\n", str); 517 bzero(str, sizeof(str)); 518 for (i = 0; i < 16; i++) { 519 str[i * 2] = hex[md->md_hash[i] >> 4]; 520 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 521 } 522 printf(" MD5 hash: %s\n", str); 523 } 524 525 static __inline u_int 526 g_eli_keylen(u_int algo, u_int keylen) 527 { 528 529 switch (algo) { 530 case CRYPTO_NULL_CBC: 531 if (keylen == 0) 532 keylen = 64 * 8; 533 else { 534 if (keylen > 64 * 8) 535 keylen = 0; 536 } 537 return (keylen); 538 case CRYPTO_AES_CBC: 539 case CRYPTO_CAMELLIA_CBC: 540 switch (keylen) { 541 case 0: 542 return (128); 543 case 128: 544 case 192: 545 case 256: 546 return (keylen); 547 default: 548 return (0); 549 } 550 case CRYPTO_AES_XTS: 551 switch (keylen) { 552 case 0: 553 return (128); 554 case 128: 555 case 256: 556 return (keylen); 557 default: 558 return (0); 559 } 560 case CRYPTO_BLF_CBC: 561 if (keylen == 0) 562 return (128); 563 if (keylen < 128 || keylen > 448) 564 return (0); 565 if ((keylen % 32) != 0) 566 return (0); 567 return (keylen); 568 case CRYPTO_3DES_CBC: 569 if (keylen == 0 || keylen == 192) 570 return (192); 571 return (0); 572 default: 573 return (0); 574 } 575 } 576 577 static __inline u_int 578 g_eli_ivlen(u_int algo) 579 { 580 581 switch (algo) { 582 case CRYPTO_AES_XTS: 583 return (AES_XTS_IV_LEN); 584 case CRYPTO_AES_CBC: 585 return (AES_BLOCK_LEN); 586 case CRYPTO_BLF_CBC: 587 return (BLOWFISH_BLOCK_LEN); 588 case CRYPTO_CAMELLIA_CBC: 589 return (CAMELLIA_BLOCK_LEN); 590 case CRYPTO_3DES_CBC: 591 return (DES3_BLOCK_LEN); 592 } 593 return (0); 594 } 595 596 static __inline u_int 597 g_eli_hashlen(u_int algo) 598 { 599 600 switch (algo) { 601 case CRYPTO_MD5_HMAC: 602 return (16); 603 case CRYPTO_SHA1_HMAC: 604 return (20); 605 case CRYPTO_RIPEMD160_HMAC: 606 return (20); 607 case CRYPTO_SHA2_256_HMAC: 608 return (32); 609 case CRYPTO_SHA2_384_HMAC: 610 return (48); 611 case CRYPTO_SHA2_512_HMAC: 612 return (64); 613 } 614 return (0); 615 } 616 617 static __inline off_t 618 eli_mediasize(const struct g_eli_softc *sc, off_t mediasize, u_int sectorsize) 619 { 620 621 if ((sc->sc_flags & G_ELI_FLAG_ONETIME) == 0) { 622 mediasize -= sectorsize; 623 } 624 if ((sc->sc_flags & G_ELI_FLAG_AUTH) == 0) { 625 mediasize -= (mediasize % sc->sc_sectorsize); 626 } else { 627 mediasize /= sc->sc_bytes_per_sector; 628 mediasize *= sc->sc_sectorsize; 629 } 630 631 return (mediasize); 632 } 633 634 static __inline void 635 eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, 636 u_int sectorsize, off_t mediasize) 637 { 638 639 sc->sc_version = md->md_version; 640 sc->sc_inflight = 0; 641 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; 642 sc->sc_flags = md->md_flags; 643 /* Backward compatibility. */ 644 if (md->md_version < G_ELI_VERSION_04) 645 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; 646 if (md->md_version < G_ELI_VERSION_05) 647 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; 648 if (md->md_version < G_ELI_VERSION_06 && 649 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 650 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; 651 } 652 if (md->md_version < G_ELI_VERSION_07) 653 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; 654 sc->sc_ealgo = md->md_ealgo; 655 656 if (sc->sc_flags & G_ELI_FLAG_AUTH) { 657 sc->sc_akeylen = sizeof(sc->sc_akey) * 8; 658 sc->sc_aalgo = md->md_aalgo; 659 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); 660 661 sc->sc_data_per_sector = sectorsize - sc->sc_alen; 662 /* 663 * Some hash functions (like SHA1 and RIPEMD160) generates hash 664 * which length is not multiple of 128 bits, but we want data 665 * length to be multiple of 128, so we can encrypt without 666 * padding. The line below rounds down data length to multiple 667 * of 128 bits. 668 */ 669 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; 670 671 sc->sc_bytes_per_sector = 672 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; 673 sc->sc_bytes_per_sector *= sectorsize; 674 } 675 sc->sc_provsize = mediasize; 676 sc->sc_sectorsize = md->md_sectorsize; 677 sc->sc_mediasize = eli_mediasize(sc, mediasize, sectorsize); 678 sc->sc_ekeylen = md->md_keylen; 679 } 680 681 #ifdef _KERNEL 682 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 683 struct g_eli_metadata *md); 684 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 685 struct g_provider *bpp, const struct g_eli_metadata *md, 686 const u_char *mkey, int nkey); 687 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 688 689 int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 690 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 691 692 void g_eli_read_done(struct bio *bp); 693 void g_eli_write_done(struct bio *bp); 694 int g_eli_crypto_rerun(struct cryptop *crp); 695 696 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 697 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 698 699 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 700 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 701 #endif 702 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 703 size_t size); 704 705 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 706 int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 707 const unsigned char *key, unsigned char *mkey, unsigned keyp); 708 int g_eli_mkey_decrypt_any(const struct g_eli_metadata *md, 709 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 710 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 711 unsigned char *mkey); 712 #ifdef _KERNEL 713 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 714 #endif 715 716 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 717 const u_char *key, size_t keysize); 718 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 719 const u_char *key, size_t keysize); 720 721 struct hmac_ctx { 722 SHA512_CTX innerctx; 723 SHA512_CTX outerctx; 724 }; 725 726 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const char *hkey, 727 size_t hkeylen); 728 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 729 size_t datasize); 730 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 731 void g_eli_crypto_hmac(const char *hkey, size_t hkeysize, 732 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 733 734 void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, 735 uint64_t keyno); 736 #ifdef _KERNEL 737 void g_eli_key_init(struct g_eli_softc *sc); 738 void g_eli_key_destroy(struct g_eli_softc *sc); 739 void g_eli_key_resize(struct g_eli_softc *sc); 740 uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize); 741 void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey); 742 #endif 743 #endif /* !_G_ELI_H_ */ 744